Introduction
Organizational and Human Controls
1. a) List the AAA access controls.
Authentication, authorizations, and auditing.
b) Explain each in a sentence.
Authentication is the process of assessing the identity of each individual claiming to have permission to use a resource.
Authorizations are specific permissions that a particular authenticated user should have, given his or her authenticated identity.
Auditing consists of collecting information about the activities of each individual in log files for immediate and later analysis.
c) What are the four bases for authentication credentials?
What you know (a password or a private key)
What you have (a physical key or a smart card)
What you are (your fingerprint)
What you do (how you specifically pronounce a passphrase)
d) What is two-factor authentication’s promise?
Two-factor authentication promises defense in depth. If one authentication method is broken, the impostor will still not be able to authenticate himself or herself.
e) How can a Trojan horse defeat this promise?
If a client PC is infected with a Trojan horse, the Trojan horse can send transactions when a user has already authenticated himself or herself to an e-commerce site. If a user’s computer is compromised, two-factor authentication means nothing.
f) How can a man-in-the-middle attack defeat this promise?
Two-factor authentication often can be defeated with a man-in-the-middle attack. If a user logs into a fake banking website, the fake site can act as a silent go-between to the real banking website. After the user successfully authenticates, the fake website can execute transactions of its own on the real website.
g) What is RBAC? (Do not just spell it out).
Role-based access control. Authorizations are assigned to roles instead of to individuals.
h) Why is RBAC less expensive than access control based on individual accounts?
Role-based access control is less expensive than access control based on individuals because far fewer assignments need to be made: there are far fewer roles than there are people, and when a person changes jobs only his or her role assignment changes, not dozens of individual permissions.
i) Why is it less error-prone? (The answer is not specifically in the text.)
Appropriate authorizations are easier to understand for roles than for individuals.
j) Why do technologically strong access controls not provide strong access control in real organizations?
No access control, no matter how strong technically, provides strong access control in a real organization unless the organization has well-thought-out security policies and then rigorously implements them. Humans are ingenious in finding ways to harm themselves, especially when they are not monitored.
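The RBAC answers above (authorizations assigned to roles, fewer assignments, and deny-by-default so that errors fail safely) as a small evaluator. This is an added example written for this study guide, not code from the book; the roles, permissions and users are constructed sample data rather than any real organization's policy.

```python
"""Added example for this study guide, not the book's code: a minimal
role-based access control (RBAC) evaluator.  The roles, permissions and users
are constructed sample data, not a real organization's policy."""

# role -> permissions the role carries (three roles)
ROLE_PERMISSIONS = {
    "clerk":   {"orders:read", "orders:create"},
    "manager": {"orders:read", "orders:create", "orders:approve", "reports:read"},
    "auditor": {"orders:read", "reports:read", "logs:read"},
}

# user -> roles held (nine people; erin holds two roles)
USER_ROLES = {
    "alice": {"clerk"}, "bob": {"clerk"}, "frank": {"clerk"},
    "grace": {"clerk"}, "heidi": {"clerk"},
    "carol": {"manager"}, "ivan": {"manager"},
    "dave": {"auditor"},
    "erin": {"clerk", "auditor"},
}


def permissions_for(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, permission):
    """Deny by default: an unknown user, an unknown role or a permission that
    no role grants all evaluate to False, so a mistake in the tables can only
    be too restrictive (the system fails safely)."""
    return permission in permissions_for(user)


def assignment_counts():
    """Assignments an administrator maintains under RBAC (user->role plus
    role->permission) versus the direct user->permission grants that would
    give exactly the same effective access."""
    rbac = (sum(len(roles) for roles in USER_ROLES.values())
            + sum(len(perms) for perms in ROLE_PERMISSIONS.values()))
    direct = sum(len(permissions_for(u)) for u in USER_ROLES)
    return rbac, direct


def who_can(permission):
    """Reverse lookup for audits: which users currently hold a permission."""
    return sorted(u for u in USER_ROLES if is_authorized(u, permission))


def revoke_role(user, role):
    """A job change is a single edit to the user->role map; every permission
    that came with the role disappears at once, nothing is left behind."""
    USER_ROLES[user].discard(role)


if __name__ == "__main__":
    print("alice may approve orders:", is_authorized("alice", "orders:approve"))
    print("assignments (rbac, direct):", assignment_counts())
    print("who can read logs:", who_can("logs:read"))
```

With nine users and three roles the table needs 19 assignments where direct grants would need 25, and the gap widens as head count grows while the role set stays small. `who_can()` is the audit view that makes reviewing authorizations by role easier than reviewing them person by person.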
Military and National Security Organization Access Controls
2. a) Distinguish between mandatory access controls and discretionary access controls.
In mandatory access control, departments have no ability to alter access control rules set by higher authorities. In principle, this offers very strong security. In practice, this is difficult to sustain because some flexibility is always needed.
In discretionary access control, the department has discretion over giving access to individuals, within policy standards set by higher authorities.
b) What is multilevel security?
Information is classified by level of security (confidential, secret, top secret, etc.). It is assigned security appropriate for its level of classification.
c) What are SBU documents?
SBU documents are sensitive but unclassified.
d) Do they need to be considered in access controls?
Yes.
e) Why are access control models needed?
Because multilevel security raises complex access control questions (for example, whether a subject cleared at one level may read or write information classified at another), organizations that use it must follow formal access control models that define how each situation is to be handled.
Physical Access and Security
Risk Analysis
ISO/IEC 9.1: Secure Areas
3. a) Why is having a single point of building entry important?
By limiting access points, it is easier to apply protections to people coming into and going out of the building.
b) Why are emergency exits important?
In case of fire or other problems, people must be able to escape.
c) What should be done about them?
Emergency exits should be alarmed, monitored (preferably with cameras), and tested frequently. In all cases, security provisions must be compatible with fire codes. Most importantly, it is illegal to lock fire exits to bar egress.
d) List the four elements of entry authorization in CobiT.
In CobiT, building entry must be justified, authorized, logged, and monitored.
e) Why is loading dock security important?
This is a busy area with many strangers. It is a likely penetration point. In addition, it holds expensive goods that are easy to steal.
f) What access control rules should be applied to loading docks?
Internal employees should have limited access to loading docks (prevents easy passing of material from inside to outside).
External employees should have no access to the building beyond the loading dock (they don’t need it).
Incoming shipments should be inspected and logged.
Outgoing shipments should be separated from incoming shipments to reduce risk of theft.
g) What steps should be taken to reduce the danger of environmental damage?
Hazardous and combustible material should be located away from sensitive areas, and there should be adequate equipment for fire fighting. Disaster response facilities and backup media should be located safely away from the building.
h) List rules for working in secure areas.
Unsupervised work in secure areas should be avoided.
When no one is working in a secure area, it should be locked and checked periodically.
Electronic devices that can record or copy mass amounts of information should be forbidden in secure areas (cameras, cell phones, USB flash drives, external hard drives, non-authorized PCs and laptops, other computing devices). Inspections of personnel entering/leaving secure areas should ensure that this rule is followed. Inspections must follow strict notification and compliance laws.
9.2 Equipment Security
4. a) What is siting?
Siting is a synonym for locating or placing. It is from the root word site.
b) Distinguish between UPSs and electrical generators.
Uninterruptable power supplies (UPSs) have batteries that can supply equipment with power for a brief period of time after an outage. UPSs allow orderly shutdown during power failures.
Electrical generators are the backup for longer-duration outages. They run on fuel (diesel, natural gas, or gasoline), so they need a maintained fuel supply and should be started under load periodically to confirm that they will actually carry the building when needed.
c) If wiring cannot be run through walls, what should be done to protect the wiring?
If wiring cannot be run through walls, the wiring should be protected by running it through conduits (preferably armored conduits) and should not be run through public areas.
d) What should be done to protect laptops taken off premises?
Laptops should never be left unattended. For home use, the laptop should be stored in a lockable filing cabinet, and all paperwork should be locked away with the equipment when not in active use. Insuring the laptop is also desirable. Because the laptop carries company data wherever it goes, full-disk encryption and a strong login credential should be in place before it leaves the premises.
e) What controls should be applied to off-site equipment maintenance?
Off-site equipment maintenance must:
Be limited to only authorized personnel.
Be logged out and back in.
Have all sensitive information removed.
f) What controls should be applied to equipment disposal or reuse?
When equipment is to be disposed of or reused, sensitive data must be removed. If the equipment will not be reused, the hard drive should be physically destroyed or, at the very least, overwritten with special software that prevents the data from being recovered. Note that overwriting is unreliable on flash-based storage (SSDs, USB drives) because the controller remaps blocks behind the operating system's back; for those, use the drive's built-in secure-erase command, destroy the key of an encrypted drive, or destroy the media.
g) What controls should be placed over employees taking equipment off site?
Controls over employees taking equipment off site include:
Ensure proper authorization to remove equipment.
Limited personnel should be able to authorize removal.
Time limits for off-site use should be enforced.
Equipment should be logged in/out.
Periodic spot checks of the above rules should be conducted.
Other Physical Security Issues
5. a) What special controls are required by terrorism threats?
Due to increasing threats from terrorism, terrorist attacks must be considered in all matters of physical security. For instance, new buildings should be set back from streets and protected with rolling hill landscaping. In appropriate situations, guards may be armed. Bullet-proof doors may also be needed to guard sensitive areas.
b) Why is it necessary to prevent piggybacking?
Piggybacking (an unauthorized person following an authorized person through a controlled door) bypasses every access check at that door. Unless piggybacking is eliminated, physical access security is nearly impossible.
c) What advice would you give a company about CCTV?
I would tell the company that CCTV tapes wear out and must be replaced on a schedule; that high-resolution cameras are expensive and consume a great deal of disk space, while low-resolution cameras may be insufficient for recognizing faces; and that motion-triggered recording should be used to reduce storage. Whatever is chosen, retention should be long enough that an incident discovered weeks later can still be reviewed.
d) What is Dumpster™ diving?
Dumpster™ diving is an attack in which an attacker goes through a firm’s trash bins looking for documents, backup tapes, floppy disks, and other information-carrying media.
e) How should trash bins be protected?
Building trash bins should be located in a secure and lighted area, preferably under CCTV surveillance. This area must be on the company premises, because once building trash bins are moved beyond the company premises, their contents usually are considered to be abandoned and have no legal protection.
f) What can be done to reduce the dangers of desktop PC theft and unauthorized use?
To reduce the danger of theft, individual desktop PCs in ordinary office areas can be locked onto their desks with a cable—provided that there is something on the desk to wrap the cable around. In addition, each PC should have a login screen that requires a complex password and a screen saver so that an intruder cannot simply walk up to it and use it.
Passwords
Password-Cracking Programs
6. a) What are reusable passwords?
Reusable passwords are passwords that are used for weeks or months at a time.
b) Why is password cracking over a network difficult to do?
Password cracking over a network is difficult because the attacker will almost always be locked out after a few failed attempts, and every attempt is logged at the target.
c) In what two ways can password-cracking programs be used?
Password-cracking programs can be loaded on a server (assuming the hacker can gain access to the server) to try thousands of possible account name/password combinations per second until one works. Also, if the attacker can gain access to a computer’s password file, he or she can copy the file and crack it offline on another machine, where the work is far less obtrusive.
d) Which is safer for the cracker? Why?
Stealing the password file and cracking it elsewhere is safer. There is no need to wait around by a compromised server while the password cracking program does its work.
Lost Passwords
7. a) Why is it a problem to use the same password at multiple sites?
Using the same password at multiple sites is bad because when a password is compromised at one site, it is compromised at all sites, expanding the risk of the compromise.
b) Why is it difficult to enforce a policy of using a different password at each site?
It is difficult to enforce a policy of using a different password at each site because users cannot remember many different passwords. Using different passwords is difficult even when they are written down in a password book. A password manager that generates and stores a unique password per site removes the memory burden and is the practical way to get compliance.
c) Why are password duration policies important?
If passwords are not changed periodically, an attacker who cracks or steals one can use it for a long time. (Note that more recent guidance, such as NIST SP 800-63B, recommends changing passwords when there is evidence of compromise rather than on a fixed schedule, because forced rotation pushes users toward weaker, predictable passwords.)
d) What are password resets?
A password reset is the action taken by a help desk employee to create a new password for an account when the current password is lost or forgotten.
e) Why are password resets dangerous?
Password resets are dangerous because they are susceptible to social engineering: an impostor who can convince help desk personnel to reset a password gains access to that account and locks out the legitimate account holder.
f) How can password resets be automated?
Password resets can be automated by using a system that asks the person requesting a reset to answer one or more secret questions, giving answers the authentic user gave at registration time.
g) Why are password reset questions difficult to create?
Password reset questions are difficult to create because:
Some questions themselves are security violations (such as asking for SSN or mother’s maiden name).
Some questions are easily answered by an attacker with a little knowledge of the user (city of birth, pet’s name).
Some questions are too hard to remember or difficult to answer (favorite song, favorite teacher in high school).
Some questions require exact spelling (especially difficult with names) which can cause the password reset answer to fail too often.
h) How may password resets be handled in high-risk environments?
In high-risk environments, password resets might best be handled by eliminating remote password resets altogether and requiring the users to go to the help desk in person and show ID.
For the DoD’s Common Access Card (CAC), each user creates a six- to eight-digit PIN. When the CAC is used to access an IT service, the user gets only three tries. After three incorrect tries, the CAC locks itself, and unlocking requires the user to go in person to a CAC issuance facility (which in some places takes appointments only several days in advance).
Password Strength
Password Auditing
8. a) What is the book’s recommended password policy for length and complexity?
The book’s recommended password policy for length and complexity is:
Be at least eight characters long (although current DoD policy is 16 characters).
Have at least one change of case (DoD policy is two upper, two lower case, but no requirement for placement).
Have at least one digit (DoD policy is two).
Have at least one non-alphanumeric character not at the end of a password (DoD policy is two).
(Another DoD policy is that keyboard patterns are not to be used [such as some combination of “asdf;lkj”].)
b) How can password-cracking programs be used to enforce password strength policy?
Password-cracking programs can be used to enforce password strength policy by having systems administrators run a password-cracking program against their own servers to check for policy violations in password length and complexity.
c) Before you run a password cracking program on your company’s computers to check for weak passwords, what should you do?
Before running a password cracking program on your company’s computers to check for weak passwords, get permission! Have a memo providing permission to do a very specific set of actions and then do not deviate without further written permission.
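The two uses of a password-cracking program from question 6 (online guessing against the login service versus offline cracking of a copied password file) and the policy check from question 8, as an added example for this study guide; it is not the book's code. The accounts, password file, wordlist, hash format and the five-attempt lockout are all constructed for the example.

```python
"""Added example for this study guide, not the book's code: the two uses of a
password-cracking program (online guessing against the login service versus
offline cracking of a copied password file) and a checker for the
length/complexity policy above.  The accounts, password file, wordlist and
hash format are all constructed for the example."""

import hashlib
import hmac
import re


def check_policy(password, min_len=8):
    """Returns the list of policy rules the password fails (empty = compliant)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password[:-1]):   # a symbol only at the end does not count
        problems.append("needs a non-alphanumeric character that is not at the end")
    return problems


def hash_password(password, salt, rounds):
    """Stored form '$pbkdf2$<rounds>$<salt>$<hex>'.  rounds=1 mimics the fast
    hashes crackers love; production should use a high count (or bcrypt/Argon2)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"$pbkdf2${rounds}${salt}${dk.hex()}"


def verify(password, stored):
    _, _, rounds, salt, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, salt, int(rounds)), stored)


# Constructed password file and wordlist.  bob's password passes the policy
# above yet is in the wordlist, so policy compliance alone does not save it.
PASSWORD_FILE = "\n".join([
    "alice:" + hash_password("letmein", "a1b2", 1),
    "bob:" + hash_password("Tr0ub4dor&3x", "c3d4", 1),
    "carol:" + hash_password("X9!kq#Lm2vP", "e5f6", 1),
])
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2024",
            "Tr0ub4dor&3x", "correct horse"]


class LoginService:
    """Online target: locks an account after max_tries consecutive failures."""
    def __init__(self, password_file, max_tries=5):
        self.db = dict(line.split(":", 1) for line in password_file.splitlines())
        self.failures, self.max_tries = {}, max_tries

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.max_tries:
            return "locked"
        if user in self.db and verify(password, self.db[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1   # and, in real life, a log entry
        return "denied"


def online_attack(service, user, wordlist):
    """Guess through the login service.  Returns (password or None, attempts made)."""
    for attempts, guess in enumerate(wordlist, 1):
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def offline_attack(password_file, wordlist):
    """Crack a copied file: no lockout, no logs, each guess is a local hash.
    An administrator running this against the firm's own file is the policy
    audit described in question 8b.  Returns {user: recovered password}."""
    cracked = {}
    for line in password_file.splitlines():
        user, stored = line.split(":", 1)
        _, _, rounds, salt, _ = stored.split("$")
        for guess in wordlist:
            if hash_password(guess, salt, int(rounds)) == stored:
                cracked[user] = guess
                break
    return cracked
```

Against the constructed file, the online attack recovers alice's password on the fourth attempt but is locked out of bob's account before reaching the right guess, while the offline attack recovers both with no lockout and no trace at the target; only carol, whose password is not in the wordlist, survives. Raising `rounds` is what makes the offline attack slow; the lockout is what makes the online one fail.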
Other Password Policies
The End of Passwords?
9. What is the likely future of passwords?
Passwords are likely to be phased out in the fairly near future primarily because they are such a significant weakness. Password cracking has gotten easier and faster, and users are limited in their ability to handle truly strong passwords.
Access Cards and Tokens
Access Cards
Tokens
Proximity Access Tokens
Addressing Loss and Theft
10. a) Distinguish between magnetic stripe cards and smart cards.
A magnetic stripe card is a simple access card that can store authentication data.
A smart card looks like a magnetic stripe card but has a built-in microprocessor and memory. This allows smart cards to do processing for more sophisticated authentication. Smart cards can also give out information differentially to different applications. While magnetic stripe cards are passive, only containing data, smart cards are active.
b) What are one-time-password tokens?
One-time-password tokens are small devices with displays that have a number that changes frequently. Users must type the current number into key locks or into their computer.
c) What are USB tokens?
A USB token is a small device that plugs into a computer’s USB port to identify the owner.
d) What is the advantage of USB tokens compared to cards?
USB tokens can be used to authenticate a user without the cost of having a smart card reader attached to the PC (all modern PCs have USB ports).
e) What is the attraction of proximity tokens?
Proximity tokens are attractive because they do not require physical contact with a reader or USB port, which is faster than directly interacting with a device.
11. a) Why is it important to disable lost or stolen access devices?
If you do not disable them immediately, then someone stealing one can continue to use it indefinitely.
b) Give an example of two-factor authentication not mentioned in the text.
Student answers will vary.
c) What is a PIN?
A PIN is a personal identification number. It is a short number you type in manually to authenticate yourself—often in conjunction with another authentication factor.
d) Why can PINs be short—only four to six digits—while passwords must be much longer?
Passwords need to be long because attackers can try millions of comparisons per second. However, people must enter PINs manually, so attackers can only enter a PIN every second or two. In addition, someone standing at an access door trying many PIN codes would be highly conspicuous and therefore vulnerable to detection.
Biometric Authentication
Biometrics
12. a) What is biometric authentication?
Biometric authentication is authentication based on biological metrics.
b) On what two things about you is biometric authentication based?
Biometric authentication is based upon something you are (a physical feature) and something you do (an action).
c) What is the major promise of biometrics?
The major promise of biometrics is to make reusable passwords obsolete.
Biometric Systems
13. a) Describe the three scanner actions in the enrollment process.
First, the reader scans each person’s biometric data.
The reader then processes the enrollment scan to extract a few key features from the mass of scanned data.
Finally, the reader sends the key feature data to the database, which stores the key feature data as the user’s template.
b) What are key features?
Key features are specific metrics extracted from the scanning data. Two scans will never give the same scanning data, but they should give generally the same key features, such as the relative locations of arches and whorls in a fingerprint.
c) Why are they necessary?
Key features are necessary because raw biometric scans will be different each time due to nuanced actions (pressure, angle of scanning, interfering substance, etc.), but key features will be the same (or almost the same) no matter how a finger is scanned.
d) What does the server do with the key features created by the enrollment scan?
It uses these key features as the template for that user.
e) What is a template?
A template is the file entry containing key features from the enrollment process for a single individual.
f) What is user access data?
This is data collected during an access attempt scan, as opposed to the scanning data during enrollment.
g) What are match indices, and how are they related to decision criteria?
A match index compares access key features with the template. Because scanning never works exactly the same way twice, if the match index is close enough to satisfy the system’s configurable decision criteria, the supplicant is accepted.
Biometric Errors
14. a) In biometrics, what is a match?
In biometrics, a match occurs when a match index (comparison of access key features and the template) meets the decision criteria.
b) Distinguish between false acceptances and false rejections.
A false acceptance occurs when a person is improperly matched to a template. False rejection occurs when a person is improperly not matched to a template.
c) What are false acceptance rates (FARs) and false rejection rates (FRRs)?
These are the percentages of scans that produce a false acceptance or a false rejection, respectively.
d) For computer access, why is a false acceptance bad?
For computer access, false acceptance is bad because someone other than the authorized user, possibly an imposter, will gain access to the resource.
e) Why is a false rejection bad?
False rejection is bad because a legitimate user is denied access to a resource.
f) Which is worse from a security viewpoint?
For computer access, a false acceptance is worse because it gives an unauthorized person, possibly an impostor, access to the resource.
g) Which is worse from a user acceptance viewpoint?
A false rejection is worse from a user acceptance viewpoint, because it locks legitimate users out of resources they are entitled to use; users who are rejected often enough will resent the system and look for ways around it.
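How the decision criterion from question 13g trades the FAR and FRR of question 14 against each other, as an added example for this study guide rather than code from the book. The match indices are simulated from two overlapping distributions with a fixed seed; they are not measurements from any real scanner, and the 0.80/0.45 centres are assumptions chosen only to force a visible trade-off.

```python
"""Added example for this study guide, not the book's code: how moving the
decision criterion (match-index threshold) trades false acceptances against
false rejections.  Match indices here are simulated from two overlapping
distributions, not measured on any real scanner."""

import random


def clamp(x):
    """Keep a simulated match index inside [0, 1]."""
    return min(1.0, max(0.0, x))


def simulate_scores(n=2000, seed=7):
    """Constructed match indices: genuine attempts centred high, impostor
    attempts centred low, with enough overlap that no threshold is perfect."""
    rng = random.Random(seed)
    genuine = [clamp(rng.gauss(0.80, 0.08)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.45, 0.10)) for _ in range(n)]
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """FAR: share of impostor attempts whose index meets the threshold.
    FRR: share of genuine attempts whose index falls below it."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, steps=20):
    """(threshold, FAR, FRR) rows: raising the threshold lowers FAR and raises FRR."""
    return [(t / steps, *far_frr(genuine, impostor, t / steps)) for t in range(steps + 1)]


def threshold_for_max_far(genuine, impostor, max_far, steps=100):
    """Lowest threshold (least user friction) whose FAR does not exceed
    max_far, together with the FRR users will then experience."""
    for t in range(steps + 1):
        far, frr = far_frr(genuine, impostor, t / steps)
        if far <= max_far:
            return t / steps, far, frr
    return None


if __name__ == "__main__":
    g, i = simulate_scores()
    for thr, far, frr in sweep(g, i):
        print(f"threshold {thr:.2f}  FAR {far:.3f}  FRR {frr:.3f}")
    print("lowest threshold with FAR <= 1%:", threshold_for_max_far(g, i, 0.01))
```

The sweep shows the two error rates moving in opposite directions: at threshold 0 everyone is accepted (FAR 1, FRR 0), and every step upward buys security with user frustration. `threshold_for_max_far()` is the configuration question an administrator actually answers: pick the FAR the resource can tolerate, then see what FRR the users must live with.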
15. a) For watch lists of criminals, what is a false acceptance?
For watch lists of criminals, a false acceptance means that an innocent person is identified as a criminal.
b) For watch lists of criminals, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain.
For a watch list of criminals, false rejection is worse from a security viewpoint because it means a criminal was not identified.
c) For watch lists of people who should be allowed to enter a room, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain.
From a security viewpoint, a false acceptance is a worse error because it means a non-authorized person has improperly gained access to a resource. A false rejection would merely keep an authorized user out of the space, which is an inconvenience, but harmless in most cases.
16. What is failure to enroll?
Failure to enroll is an error that occurs if a system will not enroll a user, for example if a person does not have well-defined fingerprints.
Verification, Identification, and Watch Lists
17. a) Distinguish between verification and identification.
Verification is an action where the verifier determines whether the supplicant is a particular person that is claimed.
In identification, the verifier determines the identity of the supplicant; the supplicant does not claim to be a particular person.
b) Which requires more matches against templates?
Identification requires more matches against templates than verification because in verification, a specific identity is being claimed by the supplicant. In identification, no identity is being claimed, so the verifier has to review the templates for all users.
c) Which is more likely to generate a false acceptance? Why?
There is a small chance of a false acceptance every time a match is attempted. Because identification requires checking the supplicant against every template in a system, there is a greater chance that identification will generate a false acceptance than verification (which compares the supplicant with only one template).
d) Compare identification with watch list matching.
Watch list matching is a form of identification that identifies a person as being a member of a group. For instance, the matches may be made against the templates of people on a terrorist watch list. A match has to be attempted against each template in the list.
e) Which is more likely to generate a false match? Why?
There is a small chance of a false acceptance with each match attempt. Identification must attempt matches against all templates in the database. Watch lists only require match attempts against the templates of the members of the group. Therefore, identification is likely to generate more false matches.
18. a) Suppose that the probability of a false acceptance is one in a million, that there are 10,000 identities in the database, and that there is a watch list with 100 people. What will be the FAR for verification?
Verification only attempts a single match.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance of verification is one in a million.
b) For identification?
Identification will attempt 10,000 matches.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance for identification is approximately 1/1,000,000 times 10,000 (0.01).
Therefore, the probability of a false acceptance is about 1%. (Multiplying the per-match rate by the number of matches is an approximation; the exact value is 1 - (1 - 1/1,000,000)^10,000 ≈ 0.995%, so the shortcut is accurate as long as the product stays small.)
c) For the watch list?
A watch list will attempt 100 matches.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance for the watch list is approximately 1/1,000,000 times 100 (0.0001).
Therefore, the probability of a false acceptance is about 0.01%.
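The arithmetic of question 18 as a reusable calculation, added for this study guide and not taken from the book. The worked answers multiply the number of comparisons n by the per-comparison rate p; the exact system FAR is 1 - (1 - p)^n (the probability that at least one of n independent comparisons falsely matches), and the example shows where the approximation holds and where it breaks. The values of p, the database size and the watch-list size are the question's own.

```python
"""Added example for this study guide, not the book's code: the
false-acceptance arithmetic from question 18 as a reusable calculation,
with the exact formula beside the n*p approximation used in the answers."""

import math


def far_approx(p, n):
    """First-order estimate used in the worked answers: n * p (capped at 1)."""
    return min(1.0, n * p)


def far_exact(p, n):
    """Exact probability that at least one of n independent comparisons,
    each with per-comparison false acceptance rate p, falsely matches."""
    return 1.0 - (1.0 - p) ** n


def far_table(p=1e-6, db_size=10_000, watch_list=100):
    """System FAR as (approx, exact) for the three modes of question 18."""
    return {
        "verification": (far_approx(p, 1), far_exact(p, 1)),
        "identification": (far_approx(p, db_size), far_exact(p, db_size)),
        "watch list": (far_approx(p, watch_list), far_exact(p, watch_list)),
    }


def max_comparisons(p, target_far):
    """Largest n whose exact system FAR stays at or under target_far:
    solve 1 - (1 - p)^n <= target for n.  Useful for sizing a watch list
    or deciding when identification must be split into smaller groups."""
    return math.floor(math.log1p(-target_far) / math.log1p(-p))


def approximation_error(p, n):
    """Absolute gap between n*p and the exact FAR; it grows with n*p."""
    return far_approx(p, n) - far_exact(p, n)


if __name__ == "__main__":
    for mode, (approx, exact) in far_table().items():
        print(f"{mode:15s} approx {approx:.6%}  exact {exact:.6%}")
    print("comparisons allowed for 0.1% system FAR:", max_comparisons(1e-6, 0.001))
    print("error of n*p at n = 1,000,000:", round(approximation_error(1e-6, 1_000_000), 3))
```

For the question's numbers the approximation is within a few thousandths of a percent of the exact figure. It fails once n*p approaches 1: with a million templates n*p says 100% while the exact FAR is about 63%, which is why large identification systems are sized with the exact formula.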
Biometric Deception
19. a) Distinguish between error rates and deception in biometrics.
Error rates measure the accuracy when a supplicant is not trying to deceive the system.
In contrast, deception occurs when an attacker deliberately attempts to fool the system.
b) Why may fingerprint scanning, which is often deceived, be acceptable for entry into a supplies cabinet?
Basically, because a supplies cabinet does not hold sensitive information and it is not likely to get attacked by a sophisticated attacker.
c) When may it not be sufficient?
Fingerprint scanning may not be sufficient when it is used to control access to very sensitive/important resources where the impact of deception is potentially very great.
Biometric Methods
20. a) What is the advantage of fingerprint recognition?
The main advantage of fingerprint recognition is that the technology of fingerprint scanners is inexpensive.
b) What are the disadvantages?
The main disadvantage of fingerprint recognition is that it is easily deceived in all but the most advanced and expensive fingerprint scanner technologies.
c) For what type of use is fingerprint recognition sufficient?
Fingerprint recognition should only be used in applications for which there is little danger of serious deception. An example would be logging into a personal computer that does not hold sensitive information.
d) What is the advantage of iris recognition?
It is the most precise form of biometric authentication, with very low FARs.
e) What are the disadvantages?
The main disadvantage of iris recognition is that the technology is very expensive.
f) Does iris scanning shoot light into your eye?
No
21. a) What is the advantage of face recognition?
The main advantage of face recognition is that it can be used surreptitiously (without the subject’s knowledge).
b) What does surreptitious mean?
Surreptitious means “without the subject’s knowledge.”
c) Where is hand geometry recognition used?
Hand geometry recognition is used mostly in door access control.
d) What are the disadvantages of voiceprint recognition?
One disadvantage of voiceprint recognition is that it is easily deceived by recordings. Another is that high false rejection rates make voice recognition frustrating to users.
e) What are the most widely used forms of biometric authentication?
Fingerprint, iris, face, and hand geometry are the most widely used types of biometric authentication today.
f) What is the most widely used form of biometrics?
The most widely used form of biometrics is fingerprint recognition, primarily because it is cheap.
Cryptographic Authentication
Key Points from Chapter 3
Public Key Infrastructures (PKIs)
22. a) What is the strongest form of authentication?
Cryptographic authentication is the strongest form of authentication.
b) List the functions of a PKI.
Creating public key–private key pairs.
Distributing digital certificates.
Accepting digital certificates.
Learning a certificate’s revocation status.
Provisioning new users and changing data on existing users.
Having strong initial authentication.
c) Can a firm be its own certificate authority?
Yes
d) What is the advantage of doing so?
The advantage of being its own CA is that the firm controls trust in its entire PKI.
e) Who creates a computer’s private key/public key pair?
Private/public key pairs are normally created on the client rather than on the PKI server, so the private key never has to leave the device that will use it.
f) How do CAs distribute public keys?
In digital certificates.
g) What is provisioning?
In the context of PKI, provisioning is the accepting of public keys and providing new digital certificates to the users (a very expensive component of the PKI).
h) What is the prime authentication problem?
The prime authentication problem is that unless individuals are carefully vetted before being allowed into a system, impostors can simply enroll through social engineering.
i) What can be done to reduce this risk?
The only way to reduce the risk of the prime authentication problem is to have strong procedures for who may submit a request for an account, who may approve it (always a party other than the applicant), what identification is required, and how to handle exceptions. The procedures must be carefully enforced and audited.
Authorization
The Principle of Least Permissions
23. a) Why are authorizations needed after a person is authenticated?
Simply knowing the identity of the communicating partner is not enough. The specific authorizations of the communicating party also need to be defined. Not everyone who is authenticated may be allowed to do anything he or she wishes in every directory.
b) What is another name for authorizations?
Permissions
c) What is the principle of least permissions?
The principle of least permissions is that each person should only get the permissions that he or she absolutely needs to do his or her job. In practice, this is very difficult to enforce, primarily because there are not enough security personnel to keep track of transient permission requirements.
d) Why is it a good way to assign initial permissions?
Following the principle of least permissions is a good way to assign initial permissions because any error will likely be too restrictive (an inconvenience). Errors will not result in excessive permissions, which would be security violations. In essence, the system would fail safely.
e) What is bad about assigning all permissions and then taking away the permissions a user does not need?
The bad thing about assigning all permissions and then taking away those not needed is that it is easy for security to mistakenly not remove a permission that is not required, thus allowing access beyond that authorized.
f) What does failing safely mean in a security system?
Failing safely in a security system means that a failure is not likely to lead to security violations. The principle of least permissions ensures that users are not given too many permissions if an error is made.
Auditing
Logging
Log Reading
24. a) What is auditing?
Auditing records and analyzes what the person or program actually did, rather than what was theoretically authorized.
b) Why is it necessary?
Unless authentication and authorization activities are audited frequently, improper behavior can go on for a very long time.
c) Why is log reading important?
Logging records the actions that an account owner takes on a resource. Unless logs are studied/read, they are useless.
d) What are the three types of actions that should be taken on log files?
They should be read regularly by someone who knows what they are looking at.
External auditing should be conducted periodically.
Automatic alerts should be established to provide security administrators with real-time feedback.
e) Why are automatic alerts desirable?
Reading log files only tells you about the past. Ideally, logging systems should have active log-reading functions that send the security administrator real-time alerts for certain types of events.
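A small log reader that turns the raw authentication records described above into real-time alerts, added for this study guide as an example; it is not the book's code. The log lines are constructed in an sshd-like format, and the four rules, their thresholds and the "10." internal address prefix are assumptions to be adjusted for a real environment.

```python
"""Added example for this study guide, not the book's code: a log reader
that turns raw authentication log lines into automatic alerts.  The log
lines are constructed in an sshd-like format; the rules, thresholds and the
'10.' internal address prefix are assumptions for the example."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures then success for alice, a
# normal login for bob, an after-hours login from outside for carol, and
# one external address trying many account names.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:03 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:04 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:06 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:07 sshd[101]: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09 sshd[101]: Accepted password for alice from 10.0.0.5
2024-03-01T09:05:00 sshd[102]: Accepted password for bob from 10.0.0.7
2024-03-01T23:30:00 sshd[103]: Accepted password for carol from 198.51.100.9
2024-03-01T23:31:00 sshd[104]: Failed password for root from 203.0.113.4
2024-03-01T23:31:01 sshd[104]: Failed password for admin from 203.0.113.4
2024-03-01T23:31:02 sshd[104]: Failed password for test from 203.0.113.4
2024-03-01T23:31:03 sshd[104]: Failed password for oracle from 203.0.113.4
2024-03-01T23:31:04 sshd[104]: Failed password for postgres from 203.0.113.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse(line):
    """One log line -> event dict, or None for lines this reader does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def alerts(log_text, fail_threshold=5, window=timedelta(seconds=60),
           spray_threshold=4, office_hours=(8, 18), internal_prefix="10."):
    """Returns (rule, subject, timestamp) tuples in log order.  Rules:
    brute_force             fail_threshold failures for one account inside window
    success_after_failures  a flagged account then logs in successfully
    spray                   one source fails against spray_threshold distinct accounts
    off_hours_external      success outside office hours from a non-internal address"""
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    flagged_users, flagged_srcs, found = set(), set(), []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                       # a production reader would count these too
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["ok"]:
            if user in flagged_users:
                found.append(("success_after_failures", user, ts))
            in_hours = office_hours[0] <= ts.hour < office_hours[1]
            if not in_hours and not src.startswith(internal_prefix):
                found.append(("off_hours_external", user, ts))
            continue
        q = fails_by_user[user]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= fail_threshold and user not in flagged_users:
            flagged_users.add(user)
            found.append(("brute_force", user, ts))
        s = fails_by_src[src]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        if len({u for _, u in s}) >= spray_threshold and src not in flagged_srcs:
            flagged_srcs.add(src)
            found.append(("spray", src, ts))
    return found


if __name__ == "__main__":
    for rule, subject, ts in alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:24s} {subject}")
```

Run over the sample, the reader raises four alerts: a brute-force burst against alice, the success that follows it (the one a reader most wants to see at once, since the account may now be in an attacker's hands), carol's after-hours login from an external address, and a password spray from 203.0.113.4 that no per-account counter would catch because each account fails only once. Each rule fires once per subject so that a flood of log lines does not become a flood of alerts.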
Central Authentication Servers
The Need for Centralized Authentication
25. a) What are the three devices in central authentication using RADIUS servers?
The three devices in central authentication are the supplicant, authenticator, and RADIUS central authentication server.
b) What is the role of the authenticator?
The authenticator passes the supplicant’s credentials to the central authentication server and then relays the server’s accept or reject decision back to the supplicant; it does not evaluate the credentials itself.
c) What is the role of the central authentication server?
To test the validity of credentials provided by the user.
Kerberos
26. a) In Kerberos, distinguish between the ticket granting ticket and the service ticket.
The ticket granting ticket is the supplicant’s proof that it has already authenticated itself with the Kerberos server. The service ticket is an encrypted session key that only the verifier can decrypt (due to sharing a key with the Kerberos server in a separate communication).
b) What information does the service ticket give the verifier?
The service ticket gives the verifier the symmetric session key to use with the supplicant. The session ticket may also contain permissions that the supplicant should have on the verifier.
c) How does the supplicant get the symmetric session key?
The supplicant gets the symmetric session key from the Kerberos server when the service ticket is sent to the verifier; the session key from the Kerberos server is encrypted to only be read by the server and supplicant.
d) Is the verifier notified explicitly that the supplicant has been authenticated? Explain.
The verifier is not notified explicitly that the supplicant has been authenticated. Authentication is implicit in that if the supplicant has the symmetric session key to communicate with the verifier, it must have been authenticated with the Kerberos server (which generated the session key and would only give it out to an authenticated computer).
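The exchange in a) through d) can be simulated end to end. This is an added example, not the textbook's code and not real Kerberos: the "encryption" is a toy SHA-256 keystream with an HMAC tag standing in for Kerberos's real ciphers, timestamps and replay protection are omitted, and the assumption that the Kerberos server holds the supplicant's permissions for each service is taken from the answer to b). The principal and service names are placeholders.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, nonce, length):
    """CTR-style keystream from SHA-256: a toy construction for this demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a symmetric key (toy authenticated encryption)."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Verify the tag, then decrypt; raises if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KerberosServer:
    def __init__(self):
        self.keys = {}                          # principal -> long-term key, shared out of band
        self.tgt_key = secrets.token_bytes(32)  # known only to the Kerberos server
        self.acl = {}                           # (client, service) -> permissions (assumption)

    def register(self, name, key):
        self.keys[name] = key

    def grant(self, client, service, perms):
        self.acl[(client, service)] = perms

    def login(self, client, proof):
        """Initial authentication: the client shows it holds its long-term key. The
        ticket granting ticket (TGT) is sealed under the server's own key, so it can be
        presented later as proof that this client already authenticated."""
        if unseal(self.keys[client], proof)["client"] != client:
            raise ValueError("login proof does not match claimed identity")
        return seal(self.tgt_key, {"client": client})

    def service_ticket(self, tgt, service):
        """Return (part for the client, service ticket). Both carry the same fresh
        session key, each sealed so that only its intended reader can open it."""
        client = unseal(self.tgt_key, tgt)["client"]   # fails on a forged TGT
        session_key = secrets.token_bytes(32).hex()
        perms = self.acl.get((client, service), [])
        for_client = seal(self.keys[client], {"service": service, "session_key": session_key})
        ticket = seal(self.keys[service], {"client": client, "session_key": session_key, "perms": perms})
        return for_client, ticket


class Supplicant:
    def __init__(self, name, key):
        self.name, self.key, self.tgt = name, key, None

    def login(self, kdc):
        self.tgt = kdc.login(self.name, seal(self.key, {"client": self.name}))

    def access(self, kdc, verifier):
        for_client, ticket = kdc.service_ticket(self.tgt, verifier.name)
        session_key = bytes.fromhex(unseal(self.key, for_client)["session_key"])
        authenticator = seal(session_key, {"client": self.name})  # proves session-key possession
        return verifier.handle(ticket, authenticator)


class Verifier:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def handle(self, ticket, authenticator):
        """No explicit 'authenticated' message arrives: the verifier infers it because
        the authenticator opens under the session key found inside the ticket."""
        t = unseal(self.key, ticket)
        who = unseal(bytes.fromhex(t["session_key"]), authenticator)["client"]
        if who != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return {"client": t["client"], "perms": t["perms"]}


def run_demo():
    """Full exchange plus a forged ticket; returns (granted access, forgery rejected)."""
    kdc = KerberosServer()
    alice_key, fs_key = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc.register("alice", alice_key)
    kdc.register("fileserver", fs_key)
    kdc.grant("alice", "fileserver", ["read"])
    alice, fileserver = Supplicant("alice", alice_key), Verifier("fileserver", fs_key)
    alice.login(kdc)
    granted = alice.access(kdc, fileserver)
    try:  # a ticket sealed under any key other than the verifier's is rejected
        fileserver.handle(seal(secrets.token_bytes(32), {"client": "intruder"}), b"")
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return granted, forged_rejected
```

The verifier never talks to the Kerberos server during the access; everything it needs (the session key and the supplicant's permissions) is inside the service ticket, which only its own long-term key can open.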
Directory Servers
What Are Directory Servers?
Hierarchical Data Organization
27. a) How is information in directory servers organized?
The information in directory servers is organized as a directory server database schema in a hierarchical collection of objects.
b) What are the top two levels of the organization?
Top level = the Organization. This is the name of the organization.
Below the top level are organization units (OU). There can be many OUs.
c) Do directory servers only hold information about people?
They hold information about many other types of company resources, such as computers.
Lightweight Directory Access Protocol (LDAP)
28. What is LDAP’s purpose?
LDAP’s main purpose is to retrieve data from the directory server. However, it can also be used to update information in the directory server.
Use by Authentication Servers
29. a) How do central authentication servers often get their authentication information?
Central authentication servers often get their authentication information from directory servers.
b) What is the advantage of this?
It permits the directory server to be the company’s main repository for information.
Active Directory
30. a) What is Microsoft’s directory server product?
Microsoft’s directory server product is Active Directory (AD).
b) What is the smallest organizational unit in Active Directory?
The organizational unit.
c) What two things does a domain controller contain?
The domain controller contains an active directory database and a Kerberos authentication server program.
d) Can a domain have multiple domain controllers?
Yes
e) What is the advantage of having multiple domain controllers?
The advantage is that having multiple domain controllers gives reliability in case one crashes or is successfully attacked.
f) Into what larger structures are domains organized?
Trees
g) Into what larger structure can trees be organized?
Forests
h) Describe replication among domain controllers within a single AD domain.
Within a single AD domain, there is total replication between domain controllers.
i) Describe replication between a domain controller in one domain and the domain controller in the parent domain.
There is partial replication of data to the next-higher-level database.
Trust
31. a) Distinguish between mutual and one-way trust among AD domains.
In mutual trust, each directory server trusts the other.
In one-way trust, one directory server trusts the other, but there is no trust in the opposite direction.
b) Distinguish between transitive and intransitive trust.
An example of transitive trust would be if A trusts B and B trusts C, then A trusts C automatically. An example of intransitive trust would be if A trusts B and B trusts C, this does not mean that A trusts C automatically.
c) What principle should companies follow in making trust assignments?
Give only as much trust as necessary.
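The trust relationships in a) through c) can be modelled as a directed graph, which makes the difference between transitive and intransitive trust, and the least-trust principle, checkable. This is an added example, not from the textbook; the forest layout and the domain names are constructed placeholders, and the rule that a multi-hop chain counts only when every link in it is transitive is the modelling assumption used here.

```python
class TrustGraph:
    """Directed trust between AD domains: an edge a -> b means domain a trusts
    domain b (accepts b's authentications) and records whether that trust is transitive."""

    def __init__(self):
        self.edges = {}  # trusting domain -> {trusted domain: is_transitive}

    def add_trust(self, trusting, trusted, transitive=True, mutual=False):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        if mutual:  # two-way trust is simply an edge in each direction
            self.edges.setdefault(trusted, {})[trusting] = transitive

    def domains(self):
        return set(self.edges) | {d for t in self.edges.values() for d in t}

    def trusts(self, a, b):
        """True if a trusts b directly, or through a chain made only of transitive
        trusts; an intransitive link ends the chain (assumption stated in the lead-in)."""
        if a == b or b in self.edges.get(a, {}):
            return True
        seen, stack = {a}, [a]
        while stack:
            cur = stack.pop()
            for nxt, transitive in self.edges.get(cur, {}).items():
                if not transitive:
                    continue
                if nxt == b:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return False

    def implied_trusts(self):
        """Pairs that trust each other only because of transitivity: the relationships
        to review under 'give only as much trust as necessary'."""
        ds = self.domains()
        return sorted((a, b) for a in ds for b in ds
                      if a != b and b not in self.edges.get(a, {}) and self.trusts(a, b))


def build_example_forest():
    """Constructed forest (placeholder names): a root with two child domains joined by
    two-way transitive parent-child trusts, plus a one-way intransitive trust from the
    root to a partner domain."""
    g = TrustGraph()
    g.add_trust("corp.example", "sales.corp.example", transitive=True, mutual=True)
    g.add_trust("corp.example", "eng.corp.example", transitive=True, mutual=True)
    g.add_trust("corp.example", "partner.example", transitive=False, mutual=False)
    return g
```

Running `build_example_forest().implied_trusts()` lists the sibling pair that trust each other only through the root; the partner domain never appears, because the intransitive external trust does not extend into the children and nothing trusts the partner in the reverse direction.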
Toward Full Identity Management
Other Directory Servers and Metadirectories
32. a) Why are metadirectory servers needed?
To coordinate information across different types of directory servers.
b) What do metadirectory servers do?
The metadirectory server gets the directory servers to exchange information and to synchronize services in a variety of ways.
Federated Identity Management
33. a) In federated identity management, do firms query one another’s identity management databases?
In federated identity management, firms do not query one another’s identity management databases. Instead, they send assertion statements that may include authenticity, authorization, and attribute information.
b) What do they do instead?
They send assertions to each other.
c) What risk does this method avoid for the firm sending the security assertion?
This method avoids the risk of potential attacks from the other company because the other company never gets direct access to corporate resources.
d) How are risks to Firm B reduced?
The firms first carefully negotiate a contract beforehand. The contract specifies penalties if Firm A sends false assertions.
e) What is a security assertion?
An assertion is a statement from Firm A to Firm B that Firm B should accept as true if Firm B trusts Firm A.
f) What three things may it contain?
Authenticity information, such as the employee is an employee by that name and has been authenticated by Firm A.
Authorization information stating that the employee is allowed to access Firm B’s services.
Attributes that describe features of the employee (such as spending limit).
g) What is the main standard for one firm to send security assertion to another firm?
The main standard for sending security assertions today is the Security Assertion Markup Language (SAML).
h) What is the major benefit of using XML?
The major benefit of using XML in SAML is that it is platform independent; this means that it does not matter what programming language either firm uses as long as they implement XML successfully.
Identity Management
34. a) What is identity management?
Identity management is the centralized policy-based management of all information required for access to corporate systems by people, machines, programs, or other resources.
b) What are the benefits of identity management?
Reduced costs by reducing the work needed to manage user access, including provisioning, password resets, and so forth.
Enforcing consistency by permitting a single change on an identity management server to affect employee access permission on all servers in an organization.
Centralized auditing of all an employee’s access permissions across a firm.
Possible use of single sign-on or at least reduced sign-on.
c) What is SSO?
Single sign-on allows a user to authenticate himself or herself to the identity management server once; from that point on, whenever the user asks for access to a specific server, no additional logins are required.
d) Why is full SSO generally impossible?
It is technically impossible.
e) What is reduced sign-on?
It is single sign-on to some resources but not all resources as in full SSO.
f) What is an identity?
An identity is the set of attributes about a person or resource that must be revealed in a particular context.
g) Why is providing minimum identity data an important principle?
You will not accidentally reveal information about yourself that you do not have to reveal and that may be used against you.
35. a) In identity management, what are provisioning, reprovisioning, and deprovisioning?
Provisioning entails granting authorizations and authentications carefully and then changing them whenever roles or other conditions change. Reprovisioning occurs when there are changes.
Deprovisioning occurs when the authorizations and authentications are no longer appropriate (employee leaves the company).
b) Why is decentralized management desirable?
Decentralized management is desirable because identities should be managed by people closest to the situation.
c) Why are self-service functions desirable?
To reduce costs of the identity management staff.
d) What changes should be made through self-service functions?
Only nonsensitive information changes should be made through self-service functions.
Trust and Risk
36. a) In what sense is identity management really just another form of risk management?
Identity management affords risk reduction by reducing risk from individuals accessing computer resources to acceptable levels. Risk reduction is the primary risk management technique.
b) How can identity management reduce risk?
Identity management can reduce risk by limiting the amount of potential damage an employee can do based upon computer resource privileges, as well as affords detection (via auditing) of malicious activities in real time.
c) How much should companies spend on identity management?
A company must balance these risk reductions with the amount of money that identity management will cost to implement over their entire life cycle.
Organizational and Human Controls
i) Why is it less error-prone? (The answer is not specifically in the text.)
Appropriate authorizations are easier to understand for roles than for individuals.
j) Why do technologically strong access controls not provide strong access control in real organizations?
No access control, no matter how strong, will provide strong access control in real organizations unless the organization has well-thought-out security policies and then rigorously implements those policies. Humans are ingenious in finding ways to harm themselves, especially when they are not monitored.
Military and National Security Organization Access Controls
2. a) Distinguish between mandatory access controls and discretionary access controls.
In mandatory access control, departments have no ability to alter access control rules set by higher authorities. In principle, this offers very strong security. In practice, this is difficult to sustain because some flexibility is always needed.
In discretionary access control, the department has discretion over giving access to individuals, within policy standards set by higher authorities.
b) What is multilevel security?
Information is classified by level of security (confidential, secret, top secret, etc.). It is assigned security appropriate for its level of classification.
c) What are SBU documents?
SBU documents are sensitive but unclassified.
d) Do they need to be considered in access controls?
Yes.
e) Why are access control models needed?
To cope with complex access control issues involving multilevel security, organizations that use multilevel security must follow complex access control models to determine how to deal with various access situations.
Physical Access and Security
Risk Analysis
ISO/IEC 9.1: Secure Areas
3. a) Why is having a single point of building entry important?
By limiting access points, it is easier to apply protections to people coming into and going out of the building.
b) Why are emergency exits important?
In case of fire or other problems, people must be able to escape.
c) What should be done about them?
Emergency exits should be alarmed, monitored (preferably with cameras), and tested frequently. In all cases, security provisions must be compatible with fire codes. Most importantly, it is illegal to lock fire exits to bar egress.
d) List the four elements of entry authorization in CobiT.
In CobiT, building entry must be justified, authorized, logged, and monitored.
e) Why is loading dock security important?
This is a busy area with many strangers. It is a likely penetration point. In addition, it holds expensive goods that are easy to steal.
f) What access control rules should be applied to loading docks?
Internal employees should have limited access to loading docks (prevents easy passing of material from inside to outside).
External employees should have no access to the building beyond the loading dock (they don’t need it).
Incoming shipments should be inspected and logged.
Outgoing shipments should be separated from incoming shipments to reduce risk of theft.
g) What steps should be taken to reduce the danger of environmental damage?
Hazardous and combustible material should be located away from sensitive areas, and there should be adequate equipment for fire fighting. Disaster response facilities and backup media should be located safely away from the building.
h) List rules for working in secure areas.
Unsupervised work in secure areas should be avoided.
When no one is working in a secure area, it should be locked and checked periodically.
Electronic devices that can record or copy mass amounts of information should be forbidden in secure areas (cameras, cell phones, USB flash drives, external hard drives, non-authorized PCs and laptops, other computing devices). Inspections of personnel entering/leaving secure areas should ensure that this rule is followed. Inspections must follow strict notification and compliance laws.
9.2 Equipment Security
4. a) What is siting?
Siting is a synonym for locating or placing. It is from the root word site.
b) Distinguish between UPSs and electrical generators.
Uninterruptable power supplies (UPSs) have batteries that can supply equipment with power for a brief period of time after an outage. UPSs allow orderly shutdown during power failures.
Electrical generators can be used as backup for longer-duration outages. These run on gasoline.
c) If wiring cannot be run through walls, what should be done to protect the wiring?
If wiring cannot be run through walls, the wiring should be protected by running it through conduits (preferably armored conduits) and should not be run through public areas.
d) What should be done to protect laptops taken off premises?
Laptops should never be left unattended. If for home use, the laptop should be stored in lockable filing cabinets, and all paperwork should be locked away when not in active use, along with the equipment. Having insurance for the laptop is also desirable. For all equipment taken off premises, precautions include:
Be limited to only authorized personnel.
Be logged out and back in.
Have all sensitive information removed.
e) What controls should be applied to off-site equipment maintenance?
Off-site equipment maintenance must:
Be limited to only authorized personnel.
Be logged out and back in.
Have all sensitive information removed.
f) What controls should be applied to equipment disposal or reuse?
When equipment is to be disposed or reused, sensitive data must be removed. If the equipment will not be reused, the hard drive should be destroyed or at very least written over by special software that prevents data from being recovered.
g) What controls should be placed over employees taking equipment off site?
Controls over employees taking equipment off site include:
Ensure proper authorization to remove equipment.
Limited personnel should be able to authorize removal.
Time limits for off-site use should be enforced.
Equipment should be logged in/out.
Periodic spot checks of the above rules should be conducted.
Other Physical Security Issues
5. a) What special controls are required by terrorism threats?
Due to increasing threats from terrorism, terrorist attacks must be considered in all matters of physical security. For instance, new buildings should be set back from streets and protected with rolling hill landscaping. In appropriate situations, guards may be armed. Bullet-proof doors may also be needed to guard sensitive areas.
b) Why is it necessary to prevent piggybacking?
Unless piggybacking is eliminated, physical access security is nearly impossible.
c) What advice would you give a company about CCTV?
I would tell the company that CCTV tapes will wear out, high resolution cameras are expensive and consume a great deal of disk space, low resolution cameras may be insufficient for recognition needs, and to reduce storage they should use motion sensing.
d) What is Dumpster™ diving?
Dumpster™ diving is an attack in which an attacker goes through a firm’s trash bins looking for documents, backup tapes, floppy disks, and other information-carrying media.
e) How should trash bins be protected?
Building trash bins should be located in a secure and lighted area, preferably under CCTV surveillance. This area must be on the company premises, because once building trash bins are moved beyond the company premises, their contents usually are considered to be abandoned and have no legal protection.
f) What can be done to reduce the dangers of desktop PC theft and unauthorized use?
To reduce the danger of theft, individual desktop PCs in ordinary office areas can be locked onto their desks with a cable—provided that there is something on the desk to wrap the cable around. In addition, each PC should have a login screen that requires a complex password and a screen saver so that an intruder cannot simply walk up to it and use it.
Passwords
Password-Cracking Programs
6. a) What are reusable passwords?
Reusable passwords are passwords that are used for weeks or months at a time.
b) Why is password cracking over a network difficult to do?
Password cracking over a network is difficult to do because the attacker will almost always be locked out after a few attempts.
c) In what two ways can password-cracking programs be used?
Password-cracking programs can be loaded on a server (assuming the hacker can gain access to the server) to try thousands of possible account name/password combinations per second until one works. Also, if the attacker can gain access to the password file from a computer, he can copy the file and attempt to crack into it on another machine in a less obtrusive manner.
d) Which is safer for the cracker? Why?
Stealing the password file and cracking it elsewhere is safer. There is no need to wait around by a compromised server while the password cracking program does its work.
Lost Passwords
7. a) Why is it a problem to use the same password at multiple sites?
Using the same password at multiple sites is bad because when a password is compromised at one site, it is compromised at all sites, expanding the risk of the compromise.
b) Why is it difficult to enforce a policy of using a different password at each site?
It is difficult to enforce a policy of using a different password at each site because it is difficult for users to remember different passwords for different sites. Using different passwords is difficult even if the passwords are written in a password book.
c) Why are password duration policies important?
If passwords are not changed frequently and an attacker cracks a password, he or she will be able to use it for a long period of time.
d) What are password resets?
A password reset is the action taken by a help desk employee to create a new password for an account when the current password is lost or forgotten.
e) Why are password resets dangerous?
Password resets are dangerous because they are susceptible to social engineering by an imposter that can convince help desk personnel to reset a password, thus giving access to that account to the bad guy and locking out the appropriate account holder.
f) How can password resets be automated?
Password resets can be automated by using a system that asks the person requesting a reset to answer one or more secret questions, giving answers the authentic user gave at registration time.
g) Why are password reset questions difficult to create?
Password reset questions are difficult to create because:
Some questions themselves are security violations (such as asking for SSN or mother’s maiden name).
Some questions are easily answered by an attacker with a little knowledge of the user (city of birth, pet’s name).
Some questions are too hard to remember or difficult to answer (favorite song, favorite teacher in high school).
Some questions require exact spelling (especially difficult with names) which can cause the password reset answer to fail too often.
h) How may password resets be handled in high-risk environments?
In high-risk environments, password resets might best be handled by eliminating remote password resets altogether and requiring the users to go to the help desk in person and show ID.
For the DoD’s Common Access Card (CAC), each user creates a six or eight digit PIN. Accessing an IT service, using the CAC, gets only three tries. After three incorrect tries, the CAC locks itself and unlocking requires the user to physically go to a CAC issuance facility (which in some places only takes appointments several days in advance).
Password Strength
Password Auditing
8. a) What is the book’s recommended password policy for length and complexity?
The book’s recommended password policy for length and complexity is:
Be at least eight characters long (although current DoD policy is 16 characters).
Have at least one change of case (DoD policy is two upper, two lower case, but no requirement for placement).
Have at least one digit (DoD policy is two).
Have at least one non-alphanumeric character not at the end of a password (DoD policy is two).
(Another DoD policy is that keyboard shortcuts are not to be used [such as some combination of “asdf;lkj”])
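The policy in 8 a) is mechanical enough to be checked by a short function, which is how the rule about a non-alphanumeric character not being at the end is enforced rather than merely stated. This is an added example, not from the textbook; the two parameter sets are the figures given in the answer above, and the keyboard-row list used to catch sequences like “asdf” is a constructed approximation of what the DoD rule forbids.

```python
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Parameters taken from the answer above: the book's baseline and the stricter DoD figures.
BOOK_POLICY = dict(min_len=8, min_upper=1, min_lower=1, min_digit=1, min_special=1)
DOD_POLICY = dict(min_len=16, min_upper=2, min_lower=2, min_digit=2, min_special=2)


def has_keyboard_sequence(pw, run_len=4):
    """True if `run_len` adjacent keys from one keyboard row appear, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run_len] in low for i in range(len(seq) - run_len + 1)):
                return True
    return False


def check_password(pw, min_len, min_upper, min_lower, min_digit, min_special):
    """Return the list of rules the password violates (an empty list means compliant)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(c.isupper() for c in pw) < min_upper:
        problems.append(f"fewer than {min_upper} upper-case letters")
    if sum(c.islower() for c in pw) < min_lower:
        problems.append(f"fewer than {min_lower} lower-case letters")
    if sum(c.isdigit() for c in pw) < min_digit:
        problems.append(f"fewer than {min_digit} digits")
    special_positions = [i for i, c in enumerate(pw) if not c.isalnum()]
    if len(special_positions) < min_special:
        problems.append(f"fewer than {min_special} non-alphanumeric characters")
    elif special_positions and all(i == len(pw) - 1 for i in special_positions):
        # The habit of appending a single "!" to a word is exactly what this rule targets.
        problems.append("non-alphanumeric character only at the end")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard sequence")
    return problems
```

`check_password("Password1!", **BOOK_POLICY)` fails only on the end-position rule, while the same password would also fail the DoD length and count rules; reporting every violated rule at once, rather than stopping at the first, is what makes the result useful as feedback to the user.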
b) How can password-cracking programs be used to enforce password strength policy?
Password-cracking programs can be used to enforce password strength policy by having systems administrators run a password-cracking program against their own servers to check for policy violations in password length and complexity.
c) Before you run a password cracking program on your company’s computers to check for weak passwords, what should you do?
Before running a password cracking program on your company’s computers to check for weak passwords, get permission! Have a memo providing permission to do a very specific set of actions and then do not deviate without further written permission.
Other Password Policies
The End of Passwords?
9. What is the likely future of passwords?
Passwords are likely to be phased out in the fairly near future primarily because they are such a significant weakness. Password cracking has gotten easier and faster, and users are limited in their ability to handle truly strong passwords.
Access Cards and Tokens
Access Cards
Tokens
Proximity Access Tokens
Addressing Loss and Theft
10. a) Distinguish between magnetic stripe cards and smart cards.
A magnetic stripe card is a simple access card that can store authentication data.
A smart card looks like a magnetic stripe card but has a built-in microprocessor and memory. This allows smart cards to do processing for more sophisticated authentication. Smart cards can also give out information differentially to different applications. While magnetic stripe cards are passive, only containing data, smart cards are active.
b) What are one-time-password tokens?
One-time-password tokens are small devices with displays that have a number that changes frequently. Users must type the current number into key locks or into their computer.
c) What are USB tokens?
A USB token is a small device that plugs into a computer’s USB port to identify the owner.
d) What is the advantage of USB tokens compared to cards?
USB tokens can be used to authenticate a user without the cost of having a smart card reader attached to the PC (all modern PCs have USB ports).
e) What is the attraction of proximity tokens?
Proximity tokens are attractive because they do not require physical contact with a reader or USB port, which is faster than directly interacting with a device.
11. a) Why is it important to disable lost or stolen access devices?
If you do not disable them immediately, then someone stealing one can continue to use it indefinitely.
b) Give an example of two-factor authentication not mentioned in the text.
Student answers will vary.
c) What is a PIN?
A PIN is a personal identification number. It is a short number you type in manually to authenticate yourself—often in conjunction with another authentication factor.
d) Why can PINs be short—only four to six digits—while passwords must be much longer?
Passwords need to be long because attackers can try millions of comparisons per second. However, people must enter PINs manually, so attackers can only enter a PIN every second or two. In addition, someone standing over an access door trying many PIN codes would be highly conspicuous and therefore vulnerable to detection.
Biometric Authentication
Biometrics
12. a) What is biometric authentication?
Biometric authentication is authentication based on biological metrics.
b) On what two things about you is biometric authentication based?
Biometric authentication is based upon something you are (a physical feature) and something you do (an action).
c) What is the major promise of biometrics?
The major promise of biometrics is to make reusable passwords obsolete.
Biometric Systems
13. a) Describe the three scanner actions in the enrollment process.
First, the reader scans each person’s biometric data.
The reader then processes the enrollment scan to extract a few key features from the mass of scanned data.
Finally, the reader sends the key feature data to the database, which stores the key feature data as the user’s template.
b) What are key features?
Key features are specific metrics extracted from the scanning data. Two scans will never give the same scanning data, but they should give generally the same key features, such as the relative locations of arches and whorls in a fingerprint.
c) Why are they necessary?
Key features are necessary because raw biometric scans will be different each time due to nuanced actions (pressure, angle of scanning, interfering substance, etc.), but key features will be the same (or almost the same) no matter how a finger is scanned.
d) What does the server do with the key features created by the enrollment scan?
It uses these key features as the template for that user.
e) What is a template?
A template is the file entry containing key features from the enrollment process for a single individual.
f) What is user access data?
This is data collected during an access attempt scan, as opposed to the scanning data during enrollment.
g) What are match indices, and how are they related to decision criteria?
A match index compares access key features with the template. Because scanning never works exactly the same way twice, if the match index is close enough to satisfy the system’s configurable decision criteria, the supplicant is accepted.
Biometric Errors
14. a) In biometrics, what is a match?
In biometrics, a match occurs when a match index (comparison of access key features and the template) meets the decision criteria.
b) Distinguish between false acceptances and false rejections.
A false acceptance occurs when a person is improperly matched to a template. False rejection occurs when a person is improperly not matched to a template.
c) What are false acceptance rates (FARs) and false rejection rates (FRRs)?
These are the percentages of time there is a false acceptance or a false rejection when there is a scan.
d) For computer access, why is a false acceptance bad?
For computer access, false acceptance is bad because someone other than the authorized user, possibly an imposter, will gain access to the resource.
e) Why is a false rejection bad?
False rejection is bad because a legitimate user is denied access to a resource.
f) Which is worse from a security viewpoint?
For computer access, a false acceptance is worse because it allows an unauthorized person through the door, giving the person access to sensitive building space.
g) Which is worse from a user acceptance viewpoint?
A false rejection is worse, because it lets an attacker in.
15. a) For watch lists of criminals, what is a false acceptance?
For watch lists of criminals, a false acceptance means that an innocent person is identified as a criminal.
b) For watch lists of criminals, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain.
For a watch list of criminals, false rejection is worse from a security viewpoint because it means a criminal was not identified.
c) For watch lists of people who should be allowed to enter a room, which is worse from a security viewpoint, a false acceptance or a false rejection? Explain.
From a security viewpoint, a false acceptance is a worse error because it means a non-authorized person has improperly gained access to a resource. A false rejection would merely keep an authorized user out of the space, which is an inconvenience, but harmless in most cases.
16. What is failure to enroll?
Failure to enroll is an error that occurs if a system will not enroll a user, for example if a person does not have well-defined fingerprints.
Verification, Identification, and Watch Lists
17. a) Distinguish between verification and identification.
Verification is an action where the verifier determines whether the supplicant is a particular person that is claimed.
In identification, the verifier determines the identity of the supplicant; the supplicant does not claim to be a particular person.
b) Which requires more matches against templates?
Identification requires more matches against templates than verification because in verification, a specific identity is being claimed by the supplicant. In identification, no identity is being claimed, so the verifier has to review the templates for all users.
c) Which is more likely to generate a false acceptance? Why?
There is a small chance of a false acceptance every time a match is attempted. Because identification requires checking the supplicant against every template in a system, there is a greater chance that identification will generate a false acceptance than verification (which compares the supplicant with only one template).
d) Compare identification with watch list matching.
Watch list matching is a form of identification that identifies a person as being a member of a group. For instance, the matches may be made against the templates of people on a terrorist watch list. A match has to be attempted against each template in the list.
e) Which is more likely to generate a false match? Why?
There is a small chance of a false acceptance with each match attempt. Identification must attempt matches against all templates in the database. Watch lists only require match attempts against the templates of members of the group. Therefore, identification is likely to generate more false matches.
18. a) Suppose that the probability of a false acceptance is one in a million, that there are 10,000 identities in the database, and that there is a watch list with 100 people. What will be the FAR for verification?
Verification only attempts a single match.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance of verification is one in a million.
b) For identification?
Identification will attempt 10,000 matches.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance for identification is 1/1,000,000 times 10,000 (0.01).
Therefore, the probability of a false acceptance is 1%.
c) For the watch list?
A watch list will attempt 100 matches.
The probability of a false acceptance for a single match is one in a million.
Therefore, the probability of a false acceptance for the watch list is 1/1,000,000 times 100 (0.0001).
Therefore, the probability of a false acceptance is 0.01%.
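The calculations in question 18, together with the reasoning about match attempts in question 17, as an added Python example that is not part of the answer key. It generalizes the key's linear approximation (attempts times per-match FAR) and also computes the exact probability of at least one false match under the assumption that the comparisons are independent trials; the constants are the question's own numbers, and the function and variable names are assumptions.

```python
# Added example (not from the answer key): false-acceptance rate (FAR) for a
# verification, an identification and a watch-list check, using the numbers
# from question 18: per-match FAR of 1 in 1,000,000, 10,000 enrolled
# identities, and a 100-person watch list.

PER_MATCH_FAR = 1 / 1_000_000   # probability that one template comparison falsely matches
DATABASE_SIZE = 10_000          # identities enrolled (identification compares against all)
WATCH_LIST_SIZE = 100           # templates on the watch list


def far_approx(per_match_far: float, attempts: int) -> float:
    """Linear approximation used in the answer key: attempts * per-match FAR.

    Accurate when the product is small (attempts * p << 1)."""
    return per_match_far * attempts


def far_exact(per_match_far: float, attempts: int) -> float:
    """Exact FAR if each comparison is an independent trial: the probability
    that at least one of the attempts is a false acceptance."""
    return 1.0 - (1.0 - per_match_far) ** attempts


def scenario_fars(per_match_far: float = PER_MATCH_FAR,
                  db_size: int = DATABASE_SIZE,
                  wl_size: int = WATCH_LIST_SIZE) -> dict:
    """Return {scenario: (attempts, approximate FAR, exact FAR)} for the three cases.

    Verification compares against the one claimed template; identification
    compares against every enrolled template; a watch list compares against
    every template of the group only."""
    attempts = {
        "verification": 1,
        "identification": db_size,
        "watch list": wl_size,
    }
    return {name: (n, far_approx(per_match_far, n), far_exact(per_match_far, n))
            for name, n in attempts.items()}


if __name__ == "__main__":
    for name, (n, approx, exact) in scenario_fars().items():
        print(f"{name:15s} attempts={n:6d} approx={approx:.6%} exact={exact:.6%}")
```

The exact figure for identification (about 0.995%) is slightly below the key's 1% because the same comparison cannot produce two false acceptances; the approximation is therefore a conservative upper bound, which is the safe direction for a security estimate.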
Biometric Deception
19. a) Distinguish between error rates and deception in biometrics.
Error rates measure the accuracy when a supplicant is not trying to deceive the system.
In contrast, deception occurs when an attacker deliberately attempts to fool the system.
b) Why may fingerprint scanning, which is often deceived, be acceptable for entry into a supplies cabinet?
Basically, because a supplies cabinet does not hold sensitive information and it is not likely to get attacked by a sophisticated attacker.
c) When may it not be sufficient?
Fingerprint scanning may not be sufficient when it is used to control access to very sensitive/important resources where the impact of deception is potentially very great.
Biometric Methods
20. a) What is the advantage of fingerprint recognition?
The main advantage of fingerprint recognition is that the technology of fingerprint scanners is inexpensive.
b) What are the disadvantages?
The main disadvantage of fingerprint recognition is that it is easily deceived in all but the most advanced and expensive fingerprint scanner technologies.
c) For what type of use is fingerprint recognition sufficient?
Fingerprint recognition should only be used in applications for which there is little danger of serious deception. An example would be logging into a personal computer that does not hold sensitive information.
d) What is the advantage of iris recognition?
It is the most precise form of biometric authentication, with very low FARs.
e) What are the disadvantages?
The main disadvantage of iris recognition is that the technology is very expensive.
f) Does iris scanning shoot light into your eye?
No
21. a) What is the advantage of face recognition?
The main advantage of face recognition is that it can be used surreptitiously (without the subject’s knowledge).
b) What does surreptitious mean?
Surreptitious means “without the subject’s knowledge.”
c) Where is hand geometry recognition used?
Hand geometry recognition is used mostly in door access control.
d) What are the disadvantages of voiceprint recognition?
One disadvantage of voiceprint recognition is that it is easily deceived by recordings. Another is that high false rejection rates make voice recognition frustrating to users.
e) What are the most widely used forms of biometric authentication?
Fingerprint, iris, face, and hand geometry are the most widely used types of biometric authentication today.
f) What is the most widely used form of biometrics?
The most widely used form of biometrics is fingerprint recognition, primarily because it is cheap.
Cryptographic Authentication
Key Points from Chapter 3
Public Key Infrastructures (PKIs)
22. a) What is the strongest form of authentication?
Cryptographic authentication is the strongest form of authentication.
b) List the functions of a PKI.
Creating public key–private key pairs.
Distributing digital certificates.
Accepting digital certificates.
Learning a certificate’s revocation status.
Provisioning new users and changing data on existing users.
Having strong initial authentication.
c) Can a firm be its own certificate authority?
Yes
d) What is the advantage of doing so?
The advantage of being its own CA is that the firm keeps control of trust in its entire PKI.
e) Who creates a computer’s private key/public key pair?
Private/public key pairs are normally created on the client, not on the PKI server.
f) How do CAs distribute public keys?
In digital certificates.
g) What is provisioning?
In the context of PKI, provisioning is the accepting of public keys and providing new digital certificates to the users (a very expensive component of the PKI).
h) What is the prime authentication problem?
The prime authentication problem is that unless individuals are carefully vetted before being allowed in a system, impostors can simply enroll through social engineering.
i) What can be done to reduce this risk?
The only thing that can be done to reduce the risk of the prime authentication problem is to have strong procedures for who may submit a request for an account, who may approve it (always a different party than the applicant), what identification is required, and how to handle exceptions. The procedure must be carefully enforced and audited.
Authorization
The Principle of Least Permissions
23. a) Why are authorizations needed after a person is authenticated?
Simply knowing the identity of the communicating partner is not enough. The specific authorizations of the communicating party also need to be defined. Not everyone who is authenticated may be allowed to do anything he or she wishes in every directory.
b) What is another name for authorizations?
Permissions
c) What is the principle of least permissions?
The principle of least permissions is that each person should only get the permissions that he or she absolutely needs to do his or her job. In practice, this is very difficult to enforce, primarily because there are not enough security personnel to keep track of transient permission requirements.
d) Why is it a good way to assign initial permissions?
Following the principle of least permissions is a good way to assign initial permissions because any error will likely be too restrictive (an inconvenience). Errors will not result in excessive permissions, which would be security violations. In essence, the system would fail safely.
e) What is bad about assigning all permissions and then taking away the permissions a user does not need?
The bad thing about assigning all permissions and then taking away those not needed is that it is easy for security to mistakenly not remove a permission that is not required, thus allowing access beyond that authorized.
f) What does failing safely mean in a security system?
Failing safely in a security system means that a failure is not likely to lead to security violations. The principle of least permissions ensures that users are not given too many permissions if an error is made.
Auditing
Logging
Log Reading
24. a) What is auditing?
Auditing records and analyzes what the person or program actually did, rather than what was theoretically authorized.
b) Why is it necessary?
Unless authentication and authorization activities are audited frequently, improper behavior can go on for a very long time.
c) Why is log reading important?
Logging records the actions that an account owner takes on a resource. Unless logs are studied/read, they are useless.
d) What are the three types of actions that should be taken on log files?
They should be read regularly by someone who knows what he or she is looking at.
External auditing should be conducted periodically.
Automatic alerts should be established to provide security administrators with real-time feedback.
e) Why are automatic alerts desirable?
Reading log files only tells you about the past. Ideally, logging systems should have active log-reading functions that send the security administrator real-time alerts for certain types of events.
Central Authentication Servers
The Need for Centralized Authentication
25. a) What are the three devices in central authentication using RADIUS servers?
The three devices in central authentication are the supplicant, authenticator, and RADIUS central authentication server.
b) What is the role of the authenticator?
To forward the supplicant's credentials to the authentication server and then relay the authentication server's response back to the supplicant.
c) What is the role of the central authentication server?
To test the validity of credentials provided by the user.
Kerberos
26. a) In Kerberos, distinguish between the ticket granting ticket and the service ticket.
The ticket granting ticket is the supplicant’s proof that it has already authenticated itself with the Kerberos server. The service ticket is an encrypted session key that only the verifier can decrypt (due to sharing a key with the Kerberos server in a separate communication).
b) What information does the service ticket give the verifier?
The service ticket gives the verifier the symmetric session key to use with the supplicant. The service ticket may also contain permissions that the supplicant should have on the verifier.
c) How does the supplicant get the symmetric session key?
The supplicant gets the symmetric session key from the Kerberos server at the same time the service ticket is issued for the verifier; the session key from the Kerberos server is encrypted so that only the Kerberos server and the supplicant can read it.
d) Is the verifier notified explicitly that the supplicant has been authenticated? Explain.
The verifier is not notified explicitly that the supplicant has been authenticated. Authentication is implicit in that if the supplicant has the symmetric session key to communicate with the verifier, it must have been authenticated with the Kerberos server (which generated the session key and would only give it out to an authenticated computer).
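The exchange described in question 26 as an added Python simulation that is not part of the answer key and not real Kerberos code. It models the ticket granting ticket, the service ticket sealed under the verifier's key, the session key sealed for the supplicant, and the verifier's implicit conclusion that the supplicant was authenticated. The cipher is a stand-in built from the standard library (SHA-256 keystream with an HMAC tag); principal names, message fields and the permission list are assumptions chosen for illustration.

```python
# Added example (not from the answer key): toy Kerberos TGT / service-ticket flow.
# The seal/unseal cipher is an illustrative stand-in, not Kerberos' encryption.
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key, nonce and a block counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON message so that only a holder of `key` can read it."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KerberosServer:
    """Shares a long-term key with every principal and keeps its own key for sealing TGTs."""

    def __init__(self, principal_keys: dict):
        self.own_key = os.urandom(32)
        self.principal_keys = principal_keys

    def authenticate(self, name: str, preauth: bytes):
        """AS exchange: the supplicant proves knowledge of its key by sealing a
        timestamp; it receives a TGT (readable only by this server) and a TGS key."""
        unseal(self.principal_keys[name], preauth)        # wrong key -> ValueError
        tgs_key = os.urandom(32)
        tgt = seal(self.own_key, {"client": name, "tgs_key": tgs_key.hex()})
        return tgt, seal(self.principal_keys[name], {"tgs_key": tgs_key.hex()})

    def service_ticket(self, tgt: bytes, service: str):
        """TGS exchange: the TGT is the proof of prior authentication. Returns the
        service ticket (sealed under the verifier's key, so the supplicant can neither
        read nor alter it) plus the same session key sealed for the supplicant."""
        tgt_info = unseal(self.own_key, tgt)
        session_key = os.urandom(32)
        ticket = seal(self.principal_keys[service],
                      {"client": tgt_info["client"], "session_key": session_key.hex(),
                       "permissions": ["read"]})            # assumed permission list
        for_client = seal(bytes.fromhex(tgt_info["tgs_key"]), {"session_key": session_key.hex()})
        return ticket, for_client


def verifier_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> dict:
    """The verifier opens the ticket with its own key and checks that the supplicant can
    speak under the enclosed session key. No explicit 'authenticated' message exists:
    only a principal the Kerberos server authenticated could have received that key."""
    info = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(info["session_key"]), authenticator)  # ValueError if not
    return {"client": info["client"], "permissions": info["permissions"],
            "request": auth["request"]}


def run_exchange(client: str = "alice", service: str = "fileserver") -> dict:
    """Drive the whole flow with constructed keys and report what the verifier concluded."""
    client_key, service_key = os.urandom(32), os.urandom(32)   # constructed long-term keys
    kdc = KerberosServer({client: client_key, service: service_key})
    # 1. AS exchange: supplicant authenticates once and receives a TGT.
    tgt, reply = kdc.authenticate(client, seal(client_key, {"timestamp": 1700000000}))
    tgs_key = bytes.fromhex(unseal(client_key, reply)["tgs_key"])
    # 2. TGS exchange: the TGT is traded for a service ticket and a session key.
    ticket, for_client = kdc.service_ticket(tgt, service)
    session_key = bytes.fromhex(unseal(tgs_key, for_client)["session_key"])
    # 3. Supplicant presents the ticket plus an authenticator sealed with the session key.
    result = verifier_accept(service_key, ticket, seal(session_key, {"request": "list /shared"}))
    try:                                   # the supplicant cannot open the service ticket
        unseal(client_key, ticket)
        result["ticket_opaque_to_client"] = False
    except ValueError:
        result["ticket_opaque_to_client"] = True
    return result


if __name__ == "__main__":
    print(run_exchange())
```

The point of step 3 is the implicit authentication from part (d): the verifier never receives a "this supplicant is authenticated" message, yet a valid authenticator under the session key can only come from a party the Kerberos server handed that key to.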
Directory Servers
What Are Directory Servers?
Hierarchical Data Organization
27. a) How is information in directory servers organized?
The information in directory servers is organized, according to the directory server's database schema, as a hierarchical collection of objects.
b) What are the top two levels of the organization?
Top level = the Organization. This is the name of the organization.
Below the top level are organization units (OU). There can be many OUs.
c) Do directory servers only hold information about people?
They hold information about many other types of company resources, such as computers.
Lightweight Directory Access Protocol (LDAP)
28. What is LDAP’s purpose?
LDAP’s main purpose is to retrieve data from the directory server. However, it can also be used to update information in the directory server.
Use by Authentication Servers
29. a) How do central authentication servers often get their authentication information?
Central authentication servers often get their authentication information from directory servers.
b) What is the advantage of this?
It permits the directory server to be the company’s main repository for information.
Active Directory
30. a) What is Microsoft’s directory server product?
Microsoft’s directory server product is Active Directory (AD).
b) What is the smallest organizational unit in Active Directory?
The organizational unit.
c) What two things does a domain controller contain?
The domain controller contains an active directory database and a Kerberos authentication server program.
d) Can a domain have multiple domain controllers?
Yes
e) What is the advantage of having multiple domain controllers?
The advantage is that having multiple domain controllers gives reliability in case one crashes or is successfully attacked.
f) Into what larger structures are domains organized?
Trees
g) Into what larger structure can trees be organized?
Forests
h) Describe replication among domain controllers within a single AD domain.
Within a single AD domain, there is total replication between domain controllers.
i) Describe replication between a domain controller in one domain and the domain controller in the parent domain.
There is partial replication of data to the next-higher-level database.
Trust
31. a) Distinguish between mutual and one-way trust among AD domains.
In mutual trust, each directory server trusts the other.
In one-way trust, one directory server trusts the other, but there is no trust in the opposite direction.
b) Distinguish between transitive and intransitive trust.
An example of transitive trust would be if A trusts B and B trusts C, then A trusts C automatically. An example of intransitive trust would be if A trusts B and B trusts C, this does not mean that A trusts C automatically.
c) What principle should companies follow in making trust assignments?
Give only as much trust as necessary.
Toward Full Identity Management
Other Directory Servers and Metadirectories
32. a) Why are metadirectory servers needed?
To coordinate information across different types of directory servers.
b) What do metadirectory servers do?
The metadirectory server gets the directory servers to exchange information and to synchronize services in a variety of ways.
Federated Identity Management
33. a) In federated identity management, do firms query one another’s identity management databases?
In federated identity management, firms do not query one another's identity management databases. Instead, they send assertion statements that may include authenticity, authorization, and attribute information.
b) What do they do instead?
They send assertions to each other.
c) What risk does this method avoid for the firm sending the security assertion?
This method avoids the risk of potential attacks from the other company because the other company never gets direct access to corporate resources.
d) How are risks to Firm B reduced?
The firms first carefully negotiate a contract beforehand. The contract specifies penalties if Firm A sends false assertions.
e) What is a security assertion?
An assertion is a statement from Firm A to Firm B that Firm B should accept as true if Firm B trusts Firm A.
f) What three things may it contain?
Authenticity information, such as that the person is an employee by that name and has been authenticated by Firm A.
Authorization information stating that the employee is allowed to access Firm B’s services.
Attributes that describe features of the employee (such as spending limit).
g) What is the main standard for one firm to send a security assertion to another firm?
The main standard for sending security assertions today is the Security Assertion Markup Language (SAML).
h) What is the major benefit of using XML?
The major benefit of using XML in SAML is that it is platform independent; this means that it does not matter what programming language either firm uses as long as they implement XML successfully.
Identity Management
34. a) What is identity management?
Identity management is the centralized policy-based management of all information required for access to corporate systems by people, machines, programs, or other resources.
b) What are the benefits of identity management?
Reduced costs by reducing the work needed to manage user access, including provisioning, password resets, and so forth.
Enforcing consistency by permitting a single change on an identity management server to affect employee access permission on all servers in an organization.
Centralized auditing of all an employee's access permissions across a firm.
Possible use of single sign-on or at least reduced sign-on.
c) What is SSO?
Single sign-on allows a user to authenticate himself or herself to the identity management server once; from that point on, whenever the user asks for access to a specific server, no additional logins are required.
d) Why is full SSO generally impossible?
It is technically impossible.
e) What is reduced sign-on?
It is single sign-on to some resources but not all resources as in full SSO.
f) What is an identity?
An identity is the set of attributes about a person or resource that must be revealed in a particular context.
g) Why is providing minimum identity data an important principle?
You will not accidentally reveal information about yourself that you do not have to reveal and that may be used against you.
35. a) In identity management, what are provisioning, reprovisioning, and deprovisioning?
Provisioning entails granting authorizations and authentications carefully and then changing them whenever roles or other conditions change. Reprovisioning occurs when there are changes.
Deprovisioning occurs when the authorizations and authentications are no longer appropriate (employee leaves the company).
b) Why is decentralized management desirable?
Decentralized management is desirable because identities should be managed by people closest to the situation.
c) Why are self-service functions desirable?
To reduce costs of the identity management staff.
d) What changes should be made through self-service functions?
Only nonsensitive information changes should be made through self-service functions.
Trust and Risk
36. a) In what sense is identity management really just another form of risk management?
Identity management affords risk reduction by reducing risk from individuals accessing computer resources to acceptable levels. Risk reduction is the primary risk management technique.
b) How can identity management reduce risk?
Identity management can reduce risk by limiting the amount of potential damage an employee can do based upon computer resource privileges, and it also affords detection (via auditing) of malicious activities in real time.
c) How much should companies spend on identity management?
A company must balance these risk reductions with the amount of money that identity management will cost to implement over its entire life cycle.